CN1901448A - Connecting identification system in communication network and realizing method - Google Patents

Connecting identification system in communication network and realizing method

Info

Publication number: CN1901448A
Authority: CN (China)
Prior art keywords: authentication, service, client, node, information
Legal status: Granted
Application number: CN 200510085492
Other languages: Chinese (zh)
Other versions: CN1901448B
Inventors: 李英涛, 何均宏, 张涛
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN 200510085492 (granted as CN1901448B), EP06753062A (EP1909430A4), PCT/CN2006/001497 (WO2007009343A1)
Publication of CN1901448A; application granted and published as CN1901448B
Legal status: Active

Classifications

    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L9/321 Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity, non-repudiation, key authentication, verification of credentials), involving a third party or a trusted authority
    • H04L9/3271 The same, using challenge-response
    • H04L63/0807 Network architectures or network communication protocols for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

This invention relates to a method for implementing access authentication in a communication network. A client first initiates authentication to a centralized authentication server and obtains an authentication result; it then sends that result together with a service request message to a service providing authentication node, which authenticates the service to be obtained and carries out the inclusive authentication process to obtain the authentication result for the client. The invention can thus support the combined use of third-party authentication with value-added services, such as the authentication role of a third party (CA) between a bank and its users and the role of a bank between users and merchants. It also supports the combined use of carrier networks with value-added service providers, and the combined application of SIP and Web networks.

Description

System and method for implementing access authentication in a communication network
Technical field
The present invention relates to the field of network communications technology, and in particular to a system and method for implementing access authentication in a communication network.
Background
NGN (next generation network) and the Internet are at present two large network systems that are independent of one another yet interdependent. The services defined by NGN, and in particular the new services of NGN, are all derived from the integrated services of NGI (Next Generation Internet).
One of the keys to converging the two networks is the convergence of the user and of the user's attributes, so that a user can be authenticated and obtain service on both the NGN and the NGI network.
At present, Passport is a user online authentication service designed by Microsoft. Websites that subscribe to Passport can use this user identity authentication service without having to maintain a user authentication system of their own. It should be noted, however, that the Passport service itself does not address the authorization of user rights; that still has to be done by the individual ASP (application service provider).
The basic service Passport provides is SSI (Single Sign-In). In addition, Passport provides two optional services:
(1) Passport express purchase: stores the user's credit card information to simplify electronic transactions;
(2) Kids Passport: gives children their own specific identity, with a certain degree of protection.
Passport 1.0 holds the following personal information:
user's first and last names;
nickname;
gender;
date of birth;
preferred language;
time zone;
occupation;
secret question and answer, used to recover a password the user has forgotten.
If the express purchase service is used, there is also Passport Wallet Profile (electronic wallet parameter set) information. It should be noted that in Passport 2.0 Microsoft will allow ASPs and ISPs (Internet service providers) to create and maintain Passports for their users.
On the login page of a subscribing website the user enters a Passport login name and password. The user is redirected to the Passport server and obtains an encrypted personal Cookie Profile (cookie parameter set). A COM component on the subscribing website's server, Passport Manager, accepts and decrypts this information and determines whether the user has the corresponding rights. When the user visits other Passport subscribing sites, Passport supplies the Cookie Profile to them directly, without the username and password having to be entered again (this feature is called Cobranding). Finally, when the user signs out of Passport, the system deletes the local Cookie Profile.
Passport is therefore a centralized authentication system: user information is kept in the Passport centralized data store encrypted with Triple DES and is transmitted over SSL (Secure Sockets Layer). Passport provides a different Triple DES key for each subscribing website.
For most users the security assurance provided by the above authentication mechanism is considered trustworthy, so they feel comfortable keeping personal information on their own computers. Yet last year a researcher once again found a vulnerability in the Passport authentication service through which user information including the user name, password and credit card details could be stolen; more than 200 million computers were involved. The vulnerability was alarming in its simplicity: an attacker only needed to submit a URL (address information) containing the Passport user name to use the Passport server's password reset service and obtain a new password. The security risk inherent in this authentication mechanism therefore means that the Passport authentication service cannot reliably provide the corresponding authentication service in network services.
In addition, because of its own characteristics Passport cannot support the basic functions of an HSS (home subscriber server), nor can it support the various CSCF (call session control function) entities and their interaction protocols; it therefore cannot establish real-time communication connections, and its application in telecommunication networks is limited.
In summary, applying the Passport authentication mechanism in a communication network carries corresponding security risks and limitations.
Summary of the invention
In view of the above problems in the prior art, the object of the present invention is to provide a system and method for implementing access authentication in a communication network, so as to improve the security, convenience and reliability of the authentication process for the various services provided in network communications.
The object of the invention is achieved through the following technical solutions:
The invention provides a system for access authentication in a communication network, comprising:
Client: initiates authentication to the centralized authentication server and to the service providing authentication node, and obtains the service provided by the service providing node;
Centralized authentication server: performs authentication of the client's network access;
Service providing authentication node: performs authentication of the service the client needs to obtain;
Inclusive authentication processing module: performs inclusive authentication of the client's network access and of its obtaining of the service, according to the authentication results of the centralized authentication server and of the service providing authentication node.
The inclusive authentication processing module may be built into the centralized authentication server and/or the service providing node.
The centralized authentication server comprises:
the authentication, authorization and accounting server (AAAS) of the communication network, or the home subscriber server (HSS) of the IP Multimedia Subsystem (IMS).
There is at least one service providing authentication node, and it comprises a content provider (CP) node and/or a service provider (SP) node.
The invention also provides a method for implementing access authentication in a communication network, comprising:
the client initiates authentication to the centralized authentication server and to the service providing authentication node, the authentication result information obtained is subjected to inclusive authentication processing, and an authentication result for the client is obtained.
Specifically, the method comprises:
A. the client initiates authentication to the centralized authentication server and obtains the centralized authentication result;
B. the client sends the centralized authentication result together with a service request message to the service providing authentication node, which performs authentication of the service to be obtained and the inclusive authentication processing, and obtains the authentication result for the client.
The method may further comprise:
the client sends a service request message to the service providing authentication node, the service providing authentication node notifies the client to perform authentication processing with the centralized authentication server, and step A is then executed.
Step A specifically comprises:
the client sends an authentication request message to the centralized authentication server, carrying the client's network attribute, device attribute, service attribute and/or identity attribute information;
the centralized authentication server authenticates the request message, determines the parameter information permitted for this service for the corresponding client, and returns it to the client as the centralized authentication result.
The information carried in the service request message comprises:
the client's device attribute, service attribute and/or identity attribute information.
The inclusive authentication processing of step B specifically comprises:
the service providing node compares the authentication result it obtained for the client's service with the centralized authentication result, determines the service parameter information it can finally provide to the client for this service, and returns it to the client as the inclusive authentication result.
In the IP Multimedia Subsystem (IMS), the method further comprises:
C. after the client has completed the given authentication processing and obtained the inclusive authentication result, the inclusive authentication result information of the client is registered on the home subscriber server (HSS) by the serving call session control function (S-CSCF).
Step C comprises:
the client sends a registration message carrying the inclusive authentication result information to the proxy call session control function (P-CSCF);
the registration message is sent to the interrogating call session control function (I-CSCF) of the client's home network, and the I-CSCF queries the HSS for the information of the S-CSCF;
the registration message is sent to the S-CSCF, which registers the inclusive authentication result information of the client carried in the registration message on the HSS; at the same time, the S-CSCF performs service control for the client according to the inclusive authentication result information.
Step C further comprises:
the HSS authenticates the capability information the client requests to register, or requires other entities to confirm that capability information, and registers the user's capability information on the HSS only after the authentication has passed.
In the present invention, after step C, the method further comprises:
when a caller initiates a call to a called user, the capability requirement on the called user is sent to the HSS, which looks up the corresponding called user terminal and returns it;
the call is then set up according to the information of the returned called user terminal.
As can be seen from the above technical solution, the authentication mode provided by the invention can support a wide range of network convergence and converged service applications, including:
support for the converged application of third-party authentication with a value-added service provider, such as the authentication role of a third-party CA (certification authority) between a bank and its users, or the authentication role of a bank between users and merchants;
support for the converged application of an operator's data network with a value-added service provider, where the value-added service provider obtains reliable authentication of the user from the carrier network and can thus provide operable value-added services;
the converged application of a SIP (session initiation protocol) network with a Web network, where the rich network attributes that the SIP network provides for the user greatly facilitate offering network services with quality assurance.
Description of drawings
Fig. 1 is a schematic diagram of the structure of the system of the invention;
Fig. 2 is a schematic diagram of the processing flow of the indirect authentication mode of the invention;
Fig. 3 is a schematic diagram of the application scenario of Fig. 2;
Fig. 4 is a schematic diagram of the processing flow of the direct authentication mode of the invention;
Fig. 5 is a schematic diagram of the application scenario of Fig. 4;
Fig. 6 is a schematic diagram of the processing when the invention is applied in the IMS;
Fig. 7 is a schematic diagram of a call processing flow using the invention.
Detailed description
The present invention is mainly aimed at the application environment in which a user belongs to several domains at once, for example both an NGN (next generation network) and an NGI (Next Generation Internet), and provides a multi-homing, multiple-authentication mechanism: each party can use the authentication result of another party to perform inclusive authentication, and can trigger the authentication process of the client's other home domains.
In its specific implementation, the invention comprises the following processing:
first, defining a mechanism for the multiple authentication of a multi-homed user;
second, adding user identity attributes;
third, adding user content attributes;
fourth, adding user network attributes.
For a better understanding of the invention, its specific implementation is described in detail below with reference to the drawings.
Specifically, the implementation comprises: the definition of a number of nodes, the authentication attributes, and the multiple-authentication mechanism.
1. Definition of the nodes
A number of main nodes are defined, as shown in Fig. 1: the Client, the 3A server (authentication, authorization and accounting server), the CP (content provider) node and the SP (service provider) node, together with the mutual authentication protocol between the nodes;
Node 1 is the Client, the node where the user's services are executed and presented; node 1 defines a generic user terminal, a uniform client;
Node 2 is the 3A server, which defines a centralized authentication server; that is, node 2 is the service authentication (assurance) node and supports multiple authentication protocols as well as a common authentication protocol;
Node 3 is the CP, a service aggregation node; it can communicate with node 1 through different node 2 instances, publishes its own information to node 1, and passes node 1's information to node 4 through node 2;
Node 4 is the SP, the service providing node; it can communicate with node 1 through node 3, understands node 1's definitions and requirements, and publishes its own content to node 1 through node 2;
Nodes 2 to 4 may be merged.
2. Authentication attributes
The authentication attributes comprise a network attribute, an identity attribute, a device attribute and a content attribute, where:
the network attribute comprises the communication interface, communication protocol and communication capability of the network;
the identity attribute comprises content related to the user's identity such as the user's identifier (ID), security context, gender, age, occupation, contact details and interests;
the device attribute comprises device-related attributes of the user equipment such as computing capability, storage capacity and communication capability;
the content attribute comprises content material that the user owns, such as documents, pictures, sound and data, and its index.
3. Multi-homing multiple-authentication mechanism
As shown in Fig. 1, the CP or SP obtains the authentication attributes of the user and of the user's terminal from the network HSS (home subscriber server) through the network operator's network, and checks whether the authentication attributes match the authentication requirement. If they match, the corresponding service is provided to the user.
The multi-homing multiple-authentication mechanism is explained below.
This mechanism helps a CP/SP reach telecommunication users widely and effectively; it is also a third-party authentication mechanism that guarantees the authenticity of both parties' identities in their interaction.
As communication requirements change, intelligent networks are being given unprecedented importance. The profit centre of network operation is progressively shifting from traditional voice transmission to data and content services. Relevant data show that SP/CP application service providers can obtain very high net profit margins; for this, the SP/CP needs to be able to reach large numbers of telecommunication users widely and effectively.
The invention provides a system for access authentication in a communication network, and in particular a system for access authentication where several services are provided, as shown in Fig. 1, comprising:
Client: the user's client, which initiates authentication to the centralized authentication server and to the service providing authentication node, and obtains the service provided by the service providing node;
Centralized authentication server: performs authentication of the client's network access; it comprises the AAAS (authentication, authorization and accounting server) of the communication network;
Service providing authentication node: performs authentication of the service the client needs to obtain; it comprises the CP (content provider node) and/or the SP (service provider node);
Inclusive authentication processing module: performs inclusive authentication of the client's network access and of its obtaining of the service according to the authentication results of the centralized authentication server and of the service providing authentication node; it may be built into the centralized authentication server and/or the service providing node.
As shown in Fig. 1, the node acting as the client communicates with the AAAS, CP and SP through a visited point of contact (Point of Contact Visited-SPCF, e.g. the P-CSCF) and a central point of contact (Central Point of Contact-SCPC, e.g. the I-CSCF); the central point of contact in turn communicates with the AAAS through an anchor proxy (Anchor proxy, e.g. the S-CSCF). The inclusive authentication processing module is built into the CP/SP and performs inclusive authentication of the client according to the AAAS authentication result.
The method for implementing access authentication in a communication network of the invention is specifically a multi-homing multiple-authentication mechanism with two implementations, an indirect authentication mode and a direct authentication mode:
The indirect authentication mode, as shown in Figs. 2 and 3, comprises the following processing:
Step 201: the user requests a service (Service Req) from the CP/SP;
As shown in Fig. 2, the terminal (Client) user sends a service request (Service Request) to the CP/SP. The request may contain several kinds of information, including:
information on the destination SP/CP the user requests to connect to;
device attribute information;
identity attribute information;
service attribute information;
the specific content of each of these has been described above.
Step 202: the CP/SP node returns a service response message (Service Resp) to the user;
Because the CP/SP node cannot judge the user's attributes, it returns information to the user requiring the user to authenticate with the AAAS, and attaches the CP's own information.
Step 203: the user requests authentication from the AAAS, i.e. sends an authentication request message to the AAAS;
The end user sends an authentication request to the AAAS, which may contain:
the user's network attribute, specifically the network channel quality parameters of the access network channel that has been allocated/negotiated, etc.;
the user's device attribute;
the user's identity attribute;
the user's service attribute;
the destination SP/CP the user requests to connect to.
Step 204: the AAAS returns a response to the request;
The AAAS receives the authentication request, compares the user's network attribute, identity attribute, subscription attribute and service request with the service registration attributes of the CP/SP, and determines whether the user may obtain the service;
The AAAS encapsulates the authentication result as a User key, which specifies the parameters of this service flow, namely:
the user's network parameters, the operator's bearer network parameters, and the requested service method.
Step 205: the user requests the service from the CP again, i.e. sends the service request message;
The user sends the User key to the CP over an encrypted transmission when requesting the service;
Step 206: the CP returns the service request result, i.e. the response message;
The CP compares the user's request and the User key with the service list and service parameters it itself provides, determines whether to provide the service itself or to have a subordinate SP provide it, and returns the service provision parameters.
The direct authentication mode, as shown in Figs. 4 and 5, comprises the following processing:
Step 41: the user sends an AAA Req (authentication, authorization and accounting request) message to the AAAS;
The end user sends a service authentication request to the AAAS, which may contain:
the user's network attribute, specifically the network channel quality parameters of the access network channel that has been allocated/negotiated;
the user's terminal attribute;
the user's identity attribute;
the destination SP/CP the user requests to connect to;
the user's service attribute;
and, of course, the address of the AAAS;
Step 42: the AAAS returns a response to the request;
The AAAS receives the authentication request, compares the user's network attribute, identity attribute, subscription attribute and service request with the service registration attributes of the CP/SP, and determines whether the user may obtain the service;
The AAAS encapsulates the authentication result as a User key, which specifies the parameters of this service flow: the user's network parameters, the operator's bearer network parameters, and the requested service method;
Step 43: the user sends a Service req (service request) message to the CP/SP;
The user sends the service request and the User key to the CP/SP; this message may be transmitted over an encrypted channel;
Step 44: the CP returns the service request reply message;
The CP compares the user's request and the User key, i.e. the AAAS authentication result, with the service list and service parameters it itself provides, determines whether to provide the service itself or to have a subordinate SP provide it, and returns the service provision parameters.
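The indirect mode (steps 201-206) and the direct mode (steps 41-44) differ only in whether the CP/SP first bounces the client to the AAAS. The Python block below is an added example, not code from the patent or from Huawei; it runs both exchanges end to end with the three roles in one process. The patent does not specify the format of the User key, so it is assumed here to be a JSON body protected by an HMAC under a key shared between the AAAS and the CP/SP, carrying the subject, the intended CP/SP, an expiry and the permitted service parameters; the inclusive authentication step at the CP then narrows those parameters by its own service list and the device's limits. The subscriber records, the CP's service registration and the request contents are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the patent): the AAAS's subscriber
# records and the service registration the CP/SP has lodged with it.
SUBSCRIBERS = {
    "alice": {"subscribed": {"video", "iptv"},
              "network": {"bearer": "dsl", "downlink_kbps": 8000}},
}
SP_REGISTRY = {
    "cp.example": {"video": {"max_kbps": 4000}, "games": {"max_kbps": 2000}},
}
# Assumption: each CP/SP shares a MAC key with the AAAS so that it can check
# that a User key was issued by the AAAS and was not altered in transit.
SP_KEYS = {"cp.example": b"constructed-cp-example-key"}

def mint_user_key(body, key):
    """Encapsulate the AAAS authentication result as a MAC-protected User key."""
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}

def verify_user_key(user_key, key, audience, now):
    """Return the User key body, or None if it is forged, meant for another CP/SP, or stale."""
    payload = user_key["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, user_key["tag"]):
        return None
    body = json.loads(payload)
    if body["aud"] != audience or body["exp"] <= now:
        return None
    return body

class AAAS:
    """Centralized authentication server (node 2): steps 203-204 / 41-42."""
    def __init__(self, now):
        self.now = now

    def authenticate(self, req):
        sub = SUBSCRIBERS.get(req["identity"]["id"])
        offered = SP_REGISTRY.get(req["target"])
        if sub is None or offered is None:
            return None
        # Compare the request with the subscription and with the CP/SP's registration.
        allowed = {s: offered[s] for s in req["service"]["requested"]
                   if s in sub["subscribed"] and s in offered}
        if not allowed:
            return None
        body = {"sub": req["identity"]["id"], "aud": req["target"],
                "exp": self.now + 300, "network": sub["network"],
                "method": req["service"]["method"], "allowed": allowed}
        return mint_user_key(body, SP_KEYS[req["target"]])

class ContentProvider:
    """CP/SP node (node 3/4) with the inclusive authentication module built in."""
    def __init__(self, name, now):
        self.name, self.now = name, now

    def service_request(self, req, user_key=None):
        if user_key is None:  # step 202: the CP cannot judge the user's attributes
            return {"status": "authenticate", "cp": self.name, "aaas": "aaas.example"}
        body = verify_user_key(user_key, SP_KEYS[self.name], self.name, self.now)
        if body is None or body["sub"] != req["identity"]["id"]:
            return {"status": "rejected"}
        # Inclusive authentication (step 206 / 44): what the AAAS allowed, narrowed
        # by what this CP offers and by what the network and device can carry.
        offered = SP_REGISTRY[self.name]
        granted = {}
        for svc, params in body["allowed"].items():
            if svc in offered and svc in req["service"]["requested"]:
                granted[svc] = {"kbps": min(params["max_kbps"], offered[svc]["max_kbps"],
                                            body["network"]["downlink_kbps"],
                                            req["device"]["max_kbps"])}
        if not granted:
            return {"status": "rejected"}
        return {"status": "granted", "method": body["method"], "services": granted}

def sample_request(requested=("video", "games")):
    """Constructed client request carrying the attributes of section 2."""
    return {"target": "cp.example",
            "device": {"cpu": "arm", "max_kbps": 3000},
            "identity": {"id": "alice", "age": 30},
            "service": {"requested": list(requested), "method": "stream"}}

def indirect_mode(now=1000, requested=("video", "games")):
    """Figs. 2-3: CP/SP first, then AAAS, then CP/SP again with the User key."""
    aaas, cp, req = AAAS(now), ContentProvider("cp.example", now), sample_request(requested)
    first = cp.service_request(req)                 # steps 201-202
    if first["status"] != "authenticate":
        return first
    key = aaas.authenticate(req)                    # steps 203-204
    return cp.service_request(req, key) if key else {"status": "rejected"}  # 205-206

def direct_mode(now=1000, requested=("video", "games")):
    """Figs. 4-5: AAAS first, then CP/SP with the User key."""
    aaas, cp, req = AAAS(now), ContentProvider("cp.example", now), sample_request(requested)
    key = aaas.authenticate(req)                    # steps 41-42
    return cp.service_request(req, key) if key else {"status": "rejected"}  # 43-44

def tampered_key(now=1000):
    """Raising the allowed rate inside the User key breaks the MAC, so the CP refuses it."""
    key = AAAS(now).authenticate(sample_request())
    key["payload"] = key["payload"].replace('"max_kbps": 4000', '"max_kbps": 40000')
    return ContentProvider("cp.example", now).service_request(sample_request(), key)

def stale_key():
    """A User key minted at t=1000 is refused by the CP at t=2000."""
    key = AAAS(1000).authenticate(sample_request())
    return ContentProvider("cp.example", 2000).service_request(sample_request(), key)
```

`indirect_mode()` and `direct_mode()` both end with `video` granted at 3000 kbps: the AAAS permitted 4000 kbps, but the constructed device attribute caps it, which is the inclusive authentication result the CP returns. The `games` service is dropped at the AAAS because the subscriber is not signed up for it, and `tampered_key()` and `stale_key()` show why the User key needs integrity protection, an audience and an expiry even though the patent only says it is sent "over an encrypted transmission".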
A specific application of the invention is described below with reference to the drawings, namely a method for implementing multi-homing multiple authentication in the IMS (IP Multimedia Subsystem) based on the invention.
As shown in Fig. 6, the processing of this application comprises:
Step 61: the user registers with the P-CSCF (proxy CSCF), carrying its own capability information in the registration message Register;
the capability information of the user, i.e. of the client, is the inclusive authentication result information obtained from the inclusive authentication processing;
Step 62: the P-CSCF forwards the Register message to the I-CSCF (interrogating CSCF);
Step 63: the I-CSCF queries the HSS for the S-CSCF (serving CSCF) information, i.e. the query message Cx-Query/Cx-Select-Pull;
Step 64: the HSS returns the S-CSCF information found to the I-CSCF, i.e. the query response message Cx-Query Resp/Cx-Select-Pull Resp;
Step 65: the I-CSCF sends the registration message to that S-CSCF according to the returned S-CSCF information;
Step 66: the S-CSCF registers the UE (user equipment) capability information on the HSS, i.e. through the Cx-Put/Cx-Pull message;
In this step the HSS may authenticate the capability information registered by the UE, or require other entities to confirm it, and register it on the HSS only after authentication passes, so that applications such as the CP, SP and S-CSCF can perform service control according to the registered capability information;
Step 67: the HSS stores the UE capability information and returns a response to the S-CSCF, i.e. the Cx-Put Resp/Cx-Pull Resp message;
Step 68: the S-CSCF completes service control (Service Control);
Step 69: the S-CSCF returns a registration success message (i.e. 200 OK) to the I-CSCF;
Step 610: the I-CSCF returns registration success to the P-CSCF;
Step 611: the P-CSCF returns registration success to the user.
As shown in Figure 7, which comprises the calling network, the calling home network, the called network and the called home network, where the calling home network comprises S-CSCF#1 and I-CSCF#1 and the called home network comprises S-CSCF#2 and I-CSCF#2, the call handling process in an IMS system based on the multiple-authentication mechanism of the present invention mainly comprises:
Steps 1-3: the caller initiates a session, including an initial Session Description Protocol offer request, Invite (initial SDP Offer); S-CSCF#1 performs service control and forwards the SDP offer request to I-CSCF#2;
Step 4: I-CSCF#2 sends the capability requirement for the called UE together with the called user's name to the HSS for lookup, i.e. it sends a Location Query message; this is necessary because the same user identity may be used to register several user terminals, and the capabilities of each terminal may differ;
Step 5: the HSS returns a Response message identifying the UE(s) that satisfy the UE capability requirement, and I-CSCF#2 routes the call to the called S-CSCF#2 according to the returned information;
Afterwards, the subsequent call handling process can continue, specifically:
Step 6: I-CSCF#2 in the called home network sends the initial SDP (Session Description Protocol) offer request message, Invite (initial SDP Offer), to S-CSCF#2;
Step 7: after S-CSCF#2 receives the request message, it performs service control processing;
Step 8: S-CSCF#2 sends the initial session description protocol request message, Invite (initial SDP Offer), to the network where the called user is located;
Step 9: the called user's network returns an offer response message, Offer Response, to S-CSCF#2;
Step 10: S-CSCF#2 forwards the offer response message to I-CSCF#2 in the called home network;
Step 11: I-CSCF#2 of the called home network sends the offer response message to S-CSCF#1 of the calling home network;
As shown in Figure 7, the offer response message can be sent via I-CSCF#1 or directly to the corresponding S-CSCF#1;
Step 12: S-CSCF#1 sends the offer response message to the calling user's network;
Step 13: the calling user's network returns a configuration response message, Response Conf (Opt SDP), to S-CSCF#1, the message containing the selected session description protocol; the configuration response message is then passed back to the called user's network through steps 14, 15 and 16;
Step 17: after the called user's network receives the configuration response message, it returns a configuration acknowledgement message, Conf Ack (Opt SDP), carrying the selected session description protocol information, to S-CSCF#2; the configuration acknowledgement message is then passed back to the calling user's network through steps 18, 19 and 20;
Afterwards, through steps 21 to 28 the calling and called user networks exchange reservation configuration messages, Reservation Conf, to reserve resources in both directions, and through steps 29 to 32 a ring-back tone, Ring, is sent to the calling user; finally, through steps 33 to 36 the called user's network sends a 200 OK response message to the calling user's network, and through steps 37 to 40 the calling user's network side returns the corresponding acknowledgement message to the called user's network side.
In the call handling process shown in Figure 7, each of the messages exchanged between S-CSCF#1 and I-CSCF#2, i.e. the messages shown within the dashed box in the figure, can be exchanged directly or via I-CSCF#1.
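The two HSS behaviours that the registration flow (steps 66-67) and the call flow (steps 4-5) rely on, modelled together as an added example that is not code from the patent: the HSS checks a UE's capability information before storing it, several terminals may register under one user identity, and a Location Query carrying the called name plus a capability requirement returns only the terminals that satisfy it, together with the serving S-CSCF. The message names follow the text; the data layout, the identities and the particular check applied to capability information are assumptions made for the illustration.

```python
"""Constructed model of UE capability registration (Figure 6, steps 66-67)
and capability-based called-terminal lookup (Figure 7, steps 4-5).
Added example, not code from the patent; message names mirror the text,
data layout and the capability check are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Terminal:
    contact: str                  # constructed contact address of one UE
    capabilities: frozenset       # e.g. frozenset({"audio", "video"})


@dataclass
class HSS:
    # user identity -> terminals registered under it (one identity may register several UEs)
    registrations: dict = field(default_factory=dict)
    # user identity -> name of the serving S-CSCF
    serving_cscf: dict = field(default_factory=dict)
    # capability values the HSS (or an entity it delegates to) accepts; assumption
    known_capabilities: frozenset = frozenset({"audio", "video", "messaging"})

    def authenticate_capabilities(self, caps):
        """Step 66: the HSS checks the capability information before storing it.
        Assumed check: every claimed capability must be a value the HSS knows."""
        return caps <= self.known_capabilities

    def cx_put(self, user_id, scscf, terminal):
        """Steps 66-67: register a UE's capability information; returns the Cx-Put response."""
        if not self.authenticate_capabilities(terminal.capabilities):
            return "Cx-Put Resp: rejected (unrecognised capability)"
        self.registrations.setdefault(user_id, []).append(terminal)
        self.serving_cscf[user_id] = scscf
        return "Cx-Put Resp: ok"

    def location_query(self, called_user, required):
        """Figure 7 steps 4-5: answer a Location Query that carries the called name
        and the capability requirement. Only terminals whose capabilities satisfy
        the requirement are returned, together with the S-CSCF to route to."""
        matches = [t.contact for t in self.registrations.get(called_user, [])
                   if required <= t.capabilities]
        return self.serving_cscf.get(called_user), matches


def demo():
    """Register two terminals under one identity and resolve a video call."""
    hss = HSS()
    bob = "bob@example.net"   # constructed identity
    r1 = hss.cx_put(bob, "scscf-2", Terminal("sip:bob-phone", frozenset({"audio"})))
    r2 = hss.cx_put(bob, "scscf-2", Terminal("sip:bob-laptop", frozenset({"audio", "video"})))
    # a terminal claiming a capability the HSS does not recognise is not stored
    r3 = hss.cx_put(bob, "scscf-2", Terminal("sip:bob-x", frozenset({"audio", "holo"})))
    scscf, video_capable = hss.location_query(bob, frozenset({"audio", "video"}))
    _, audio_capable = hss.location_query(bob, frozenset({"audio"}))
    return r1, r2, r3, scscf, video_capable, audio_capable


if __name__ == "__main__":
    print(demo())
```

The point worth noting for a deployer is the order of operations in `cx_put`: capability claims are validated before they become routing data, because whatever the HSS stores here later decides which terminal receives a call, so an unchecked claim would let a terminal attract calls it cannot actually serve.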
Therefore, the present invention can support a wide range of network convergence and converged service applications, including:
Support for converged applications in which a third party authenticates with the value-added service provider, such as a third-party CA (certification authority) playing the authentication role between a bank and a user, or a bank playing the authentication role between a user and a merchant.
Support for converged applications of the operator's data network and the value-added service provider, in which the value-added service provider obtains a trusted authentication of the user from the carrier network and can therefore provide operable value-added services.
Converged applications of the SIP (session initiation protocol) network and the Web network: the rich network attributes that the SIP network provides to the user are a great convenience for providing network services with quality assurance.
The above is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention should be encompassed within the protection scope of the present invention. Therefore, the protection scope of the present invention should be determined by the protection scope of the claims.

Claims (14)

1. A system for access authentication in a communication network, characterised in that it comprises:
a client, which initiates authentication to a collective authentication server and to a service-providing authentication node, and obtains the service provided by a service providing node;
a collective authentication server, which performs authentication processing on the client's network access process;
a service-providing authentication node, which performs authentication processing on the service the client needs to obtain;
an inclusive authentication processing module, which performs inclusive authentication of the client's network access and service acquisition processes according to the authentication results of the collective authentication server and the service-providing authentication node.
2. The system for access authentication in a communication network according to claim 1, characterised in that the inclusive authentication processing module can be built into the collective authentication server and/or the service providing node.
3. The system for access authentication in a communication network according to claim 1 or 2, characterised in that the collective authentication server comprises:
an authentication, authorisation and accounting server (AAAS) in the communication network, or the home subscriber server (HSS) in the IP multimedia subsystem (IMS).
4. The system for access authentication in a communication network according to claim 1 or 2, characterised in that the service-providing authentication node comprises:
at least one content provider node (CP) and/or service provider node (SP).
5. A method for implementing access authentication in a communication network, characterised in that it comprises:
the client initiates authentication to the collective authentication server and to the service-providing authentication node, inclusive authentication processing is performed on the obtained authentication result information, and an authentication result for the client is obtained.
6. The method for implementing access authentication in a communication network according to claim 5, characterised in that the method specifically comprises:
A. the client initiates authentication to the collective authentication server and obtains the collective authentication result;
B. the client sends the collective authentication result together with a service request message to the service-providing authentication node, which performs authentication of the service to be obtained and inclusive authentication processing, and obtains the authentication result for the client.
7. The method for implementing access authentication in a communication network according to claim 6, characterised in that the method further comprises:
the client sends a service request message to the service-providing authentication node, the service-providing authentication node notifies the client to perform authentication processing with the collective authentication server, and step A is executed.
8. The method for implementing access authentication in a communication network according to claim 6 or 7, characterised in that step A specifically comprises:
the client sends an authentication request message to the collective authentication server, the message carrying the client's network attribute, device attribute, service attribute and/or identity attribute information;
the collective authentication server authenticates the authentication request message, determines the parameter information of the service allowed for the corresponding client, and returns it to the client as the collective authentication result.
9. The method for implementing access authentication in a communication network according to claim 6 or 7, characterised in that the information carried in the service request message comprises:
the client's device attribute, service attribute and/or identity attribute information.
10. The method for implementing access authentication in a communication network according to claim 6 or 7, characterised in that the inclusive authentication processing of step B specifically comprises:
the service providing node compares the authentication result it obtains for the client's service with the collective authentication result, determines the service parameter information with which the service can finally be provided to the client, and returns it to the client as the inclusive authentication result.
11. The method for implementing access authentication in a communication network according to claim 5, 6 or 7, characterised in that, in an IP multimedia subsystem (IMS), the method further comprises:
C. after the client has completed the given authentication processing and obtained the inclusive authentication result, the serving call session control function (S-CSCF) registers the client's inclusive authentication result information on the home subscriber server (HSS).
12. The method for implementing access authentication in a communication network according to claim 11, characterised in that step C comprises:
the client sends a registration message carrying the inclusive authentication result information to the proxy call session control function (P-CSCF);
the registration message is sent to the interrogating call session control function (I-CSCF) in the client's home network, and the I-CSCF queries the HSS to obtain the S-CSCF information;
the registration message is sent to the S-CSCF, which registers the client's inclusive authentication result information from the registration message on the HSS and at the same time performs control operations on the client's service according to the inclusive authentication result information.
13. The method for implementing access authentication in a communication network according to claim 11, characterised in that step C further comprises:
the HSS authenticates the capability information the user requests to register, or requires other entities to confirm the capability information, and only after the authentication passes is the user's capability information registered on the HSS.
14. The method for implementing access authentication in a communication network according to claim 11, characterised in that, after step C is performed, the method further comprises:
when a caller initiates a call to a called user, the capability requirement for the called user is sent to the HSS, which looks up the corresponding called user terminal(s) and returns them;
call processing is performed according to the returned called user terminal information.
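The two-stage authentication of claims 5-10, worked through as an added example that is not the patent's own code: the client first obtains a collective authentication result from the collective authentication server (the AAAS/HSS role of claim 3), then presents it with its service request to a service-providing node (the CP/SP of claim 4), which authenticates the requested service itself and forms the inclusive result by comparing the two (claim 10); a request arriving without a collective result is answered by telling the client to run step A first (claim 7). The claims do not say how the service node verifies that a collective result is genuine and unmodified; the HMAC tag computed under a key shared by the two servers is an assumption, as are the identities, attribute names and policy values.

```python
"""Constructed model of the collective + inclusive authentication of claims 5-10.
Added example, not code from the patent. The HMAC tag over the collective
result, the shared key and every identity/policy value are assumptions."""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"   # assumption: shared by the two servers


def _tag(key, allowed):
    """Authentication tag binding the collective result to its issuer (assumption)."""
    canon = json.dumps(allowed, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class CollectiveAuthServer:
    """Claim 8: authenticate the client's network/device/service/identity attributes
    and return the service parameters allowed for it as the collective result."""

    def __init__(self, key, subscribers):
        self._key = key
        self._subscribers = subscribers   # identity -> subscription record (constructed)

    def authenticate(self, req):
        sub = self._subscribers.get(req["identity"])
        if sub is None or not hmac.compare_digest(sub["secret"], req["credential"]):
            return None
        if req["device"] not in sub["devices"] or req["network"] not in sub["networks"]:
            return None
        allowed = {
            "identity": req["identity"],
            "services": sorted(set(sub["services"]) & set(req["services"])),
            "max_kbps": sub["max_kbps"],
        }
        return {"allowed": allowed, "tag": _tag(self._key, allowed)}


class ServiceNode:
    """Claims 7, 9 and 10: the service-providing authentication node with a
    built-in inclusive authentication module (claim 2)."""

    def __init__(self, key, policy):
        self._key = key
        self._policy = policy   # service -> {"subscribers": set, "max_kbps": int} (constructed)

    def service_request(self, req):
        coll = req.get("collective_result")
        if coll is None:
            # claim 7: no collective result yet, so the client must run step A first
            return {"status": "authenticate_first"}
        allowed = coll["allowed"]
        if not hmac.compare_digest(coll["tag"], _tag(self._key, allowed)):
            return {"status": "rejected", "reason": "collective result not genuine"}
        if allowed["identity"] != req["identity"]:
            return {"status": "rejected", "reason": "collective result is for another client"}
        # step B: the node's own authentication of the requested service(s)
        local = [s for s in req["services"]
                 if s in self._policy and req["identity"] in self._policy[s]["subscribers"]]
        # claim 10: compare the local result with the collective result; only
        # what both allow survives, and the tighter parameter wins
        final = [s for s in local if s in allowed["services"]]
        if not final:
            return {"status": "rejected", "reason": "no service allowed by both results"}
        kbps = min([allowed["max_kbps"]] + [self._policy[s]["max_kbps"] for s in final])
        return {"status": "ok", "services": final, "max_kbps": kbps}


def demo():
    """Step A, then step B, on constructed data; also the claim-7 and tampering paths."""
    cas = CollectiveAuthServer(SHARED_KEY, {
        "alice@example.net": {"secret": "s3cret-demo", "devices": {"dev-1"},
                              "networks": {"ims-home"}, "services": ["video", "music"],
                              "max_kbps": 2000},
    })
    cp = ServiceNode(SHARED_KEY, {
        "video": {"subscribers": {"alice@example.net"}, "max_kbps": 1500},
        "games": {"subscribers": {"alice@example.net"}, "max_kbps": 800},
    })
    req = {"identity": "alice@example.net", "device": "dev-1", "services": ["video", "games"]}
    first = cp.service_request(req)                                   # claim 7 path
    coll = cas.authenticate({**req, "network": "ims-home", "credential": "s3cret-demo"})
    final = cp.service_request({**req, "collective_result": coll})   # step B
    tampered = {"allowed": {**coll["allowed"], "max_kbps": 99999}, "tag": coll["tag"]}
    forged = cp.service_request({**req, "collective_result": tampered})
    return first, final, forged


if __name__ == "__main__":
    print(demo())
```

The comparison in `service_request` is deliberately an intersection: "games" is dropped because the collective server never allowed it, and the bandwidth falls to the service node's lower limit, so neither server can grant more than the other would. The tag check matters because the collective result travels through the client between the two servers; without some binding of that kind a client could rewrite its own allowed parameters before presenting them.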
CN 200510085492 2005-07-21 2005-07-21 Access identification system in communication network and realizing method Active CN1901448B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN 200510085492 CN1901448B (en) 2005-07-21 2005-07-21 Access identification system in communication network and realizing method
EP06753062A EP1909430A4 (en) 2005-07-21 2006-06-29 Access authorization system of communication network and method thereof
PCT/CN2006/001497 WO2007009343A1 (en) 2005-07-21 2006-06-29 Access authorization system of communication network and method thereof

Publications (2)

Publication Number Publication Date
CN1901448A true CN1901448A (en) 2007-01-24
CN1901448B CN1901448B (en) 2010-12-01

Also Published As

Publication number Publication date
EP1909430A4 (en) 2008-10-08
WO2007009343A1 (en) 2007-01-25
EP1909430A1 (en) 2008-04-09
CN1901448B (en) 2010-12-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant